Re: [dnsext] DNSSEC, robustness, and several DS records
Brian Dickson <brian.peter.dickson@gmail.com> Mon, 16 May 2011 17:01 UTC
Return-Path: <brian.peter.dickson@gmail.com>
X-Original-To: dnsext@ietfa.amsl.com
Delivered-To: dnsext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 289DAE06CF for <dnsext@ietfa.amsl.com>; Mon, 16 May 2011 10:01:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.598
X-Spam-Level:
X-Spam-Status: No, score=-3.598 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rc+BSQx09v86 for <dnsext@ietfa.amsl.com>; Mon, 16 May 2011 10:00:58 -0700 (PDT)
Received: from mail-fx0-f44.google.com (mail-fx0-f44.google.com [209.85.161.44]) by ietfa.amsl.com (Postfix) with ESMTP id 85EFAE06B3 for <dnsext@ietf.org>; Mon, 16 May 2011 10:00:57 -0700 (PDT)
Received: by fxm15 with SMTP id 15so3724777fxm.31 for <dnsext@ietf.org>; Mon, 16 May 2011 10:00:56 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=2wGcD5okyrvgFguTrHplYL5FcJHDOTjES1eJ4RBpOjk=; b=IQzaNlCcoY4wtZb379P0baeyG59a/H1QwwjHxdbVk4MTO5Ct6xcdJpnNJ5xei2ZKjv wcdAyuuEDU0/6Xhadk5WBhwxH8hxwkmtZaDPZY8SW2rnnEbgxxVOBQuulxgUXJKXDsgh 64wIFFzRgITqnk4liae6LjYi1/ZnHPfLyhko4=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; b=b+S7sNAV3gFc6h7oYrHc89AFuq/BW8WsraPeXSHsS5m7NaP0NcNOSZdC2lt27T2jad hImO0DwA8FbTnrf9b23UQ0vrkOFy6QEAcvkYN2Mjt1pPTrRzujXcj0Dn9o5QaiLRlr5z i3gZzbNQTDM15o7Taw8bmNmmwBAciTYC/EjGM=
MIME-Version: 1.0
Received: by 10.223.75.15 with SMTP id w15mr1239793faj.134.1305565256614; Mon, 16 May 2011 10:00:56 -0700 (PDT)
Received: by 10.223.146.65 with HTTP; Mon, 16 May 2011 10:00:56 -0700 (PDT)
In-Reply-To: <20110512012832.296D7EAE55F@drugs.dv.isc.org>
References: <201105112022.p4BKMHmp010275@givry.fdupont.fr> <20110512012832.296D7EAE55F@drugs.dv.isc.org>
Date: Mon, 16 May 2011 13:00:56 -0400
Message-ID: <BANLkTikTiEwLWP10FoqO5wHrVK31RGHR8A@mail.gmail.com>
From: Brian Dickson <brian.peter.dickson@gmail.com>
To: Mark Andrews <marka@isc.org>
Content-Type: multipart/alternative; boundary="0015174c19565a024a04a3679955"
Cc: Paul Hoffman <paul.hoffman@vpnc.org>, dnsext@ietf.org
Subject: Re: [dnsext] DNSSEC, robustness, and several DS records
X-BeenThere: dnsext@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: DNS Extensions working group discussion list <dnsext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsext>, <mailto:dnsext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsext>
List-Post: <mailto:dnsext@ietf.org>
List-Help: <mailto:dnsext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 16 May 2011 17:01:03 -0000
On Wed, May 11, 2011 at 9:28 PM, Mark Andrews <marka@isc.org> wrote: > > In message <201105112022.p4BKMHmp010275@givry.fdupont.fr>, Francis Dupont > writes: > > In your previous mail you wrote: > > > > Note that the text in RFC 4509 has a SHOULD, not a MUST. The fact > > that the BIND and Unbound people treat it as a MUST seems like a > > bug. > > > > => I don't understand how the SHOULD can be interpreted in order to > > avoid the "bug" (:-). Seriously you can disagree with RFC 4509 > > but not about the way it has to be implemented, i.e., your concern > > is not about what it should be... > > > > Regards > > > > Francis.Dupont@fdupont.fr > > _______________________________________________ > > dnsext mailing list > > dnsext@ietf.org > > https://www.ietf.org/mailman/listinfo/dnsext > > Agreed. You are either configured to follow the SHOULD or not and > the default is to fail. Now not having a switch to turn it off > means you don't have a work around once you discover that DS is > wrong which requires contacting the administrators for the zone as > they are the only ones that can tell you whether it is wrong or you > are under attack. You can make a educated guess without contacting > the zone administrators. > > Mark > > There are subtleties in the logic for following RFC 4035, which RFC 4509 kind of glosses over with its "SHOULD" recommendation. (IMHO, the "glossing over" is what creates the "bugs", when RFC 4509 is looked at in isolation, without considering RFC 4035.) When both 4035 and 4509 are taken together, those nuances become more obvious. While there is room for different interpretations, some/most of those lead to avoidable problems. BTW - the motivation here is as follows: encode as much logic which is unambiguous as possible, where that logic does not lead to weakness to downgrade attack in the absence of significant operator error. Encoding the "educated guess" into the resolver software minimizes the need for resolver operator intervention to cases that can't be disambiguated. Here's a fundamental arithmetic thing: In order for a SEP to be validated, the DS record has to match all of the Key Tag, the Algorithm, AND the Hash of the DNSKEY. (NB - both the Key Tag and the Hash depend on the Algorithm.) So, two DS records with the same Key Tag, but different Algorithms, CANNOT match the same DNSKEY. (Ditto for same Algorithm/different Key Tags.) So, the important question is, should the "SHOULD" in RFC 4509 apply: - Only to DS RRs that (appear to) refer to a single DNSKEY? - Only to DS RRs which share an Algorithm? - To all DS RRs without looking at Algorithm or Key Tag? When there are two different algorithms, given that we (should) treat all algorithms equally, I'd argue that this is a case where RFC 4509 should NOT apply, IMHO. This was the situation that Stephane experienced, FYI, although in his case the values for Key Tag happened to still match. The separation by Algorithms would have prevented the "bug" from resulting in "Bogus" / "Unknown" from being the validation result. I'd suggest that the most likely scenarios to be seen in production networks will be DS sets that include both SHA-1 and SHA-256 for the same DNSKEY (and thus algorithm), and possibly also additional DS record(s) with only SHA-256 on additional DNSKEY(s). BTW - the reason for having one DS pair with SHA-1+SHA-256 (for one DNSKEY) and another DS with SHA-256 ONLY (for a second DNSKEY), is that the following properties apply: - the SHA-256-ONLY DS *should* only get "touched" when there is activity on the corresponding DNSKEY, and what doesn't get "touched" is unlikely to be "broken". RRSIG validity is orthogonal to "breaking" the content of the DNSKEY and its relationship to the parent's DS record. - the DS with both SHA-1 and SHA-256 involves synchronized data, on two DS records and a DNSKEY record. If the DNSKEY record is updated, and the DS record for SHA-1 is updated but the DS record for SHA-256 is not, this would be indistinguishable from a downgrade attack. When you combine the two bullet points, and you get: - fat fingers can break a single DNSKEY's validation modulo RFC 4509, but is much less likely to invalidate both DNSKEYs if both types (SHA-256 only and SHA-256+SHA-1) are present. Since the attack vectors do not involve the DS sets directly, the presence of DS records for a given algorithm that do not include SHA-256, suggests operator error or deliberate choice, and alongside different algorithms with SHA-256 (with or without SHA-1), those DS records of SHA-1 only should not be ignored. It is still more secure to have the method of implementing RFC 4509 be: (0) validate the DS RRSET via its RRSIG(s). (1) partition the DS RRSET into Algorithm subsets; (2) for each Algorithm, if both SHA-256 and SHA-1 are present, suppress the SHA-1 records (3) do the rest of 4035 using the resulting DS RRSET (using whatever local policy is, e.g. either require all Algorithms to validate, or require any Algorithm to validate) IMHO, of course. Brian
- [dnsext] DNSSEC, robustness, and several DS recor… Stephane Bortzmeyer
- Re: [dnsext] DNSSEC, robustness, and several DS r… Thierry Moreau
- Re: [dnsext] DNSSEC, robustness, and several DS r… Edward Lewis
- Re: [dnsext] dnsextDNSSEC, robustness, and severa… Wes Hardaker
- Re: [dnsext] DNSSEC, robustness, and several DS r… Paul Hoffman
- Re: [dnsext] DNSSEC, robustness, and several DS r… Brian Dickson
- Re: [dnsext] DNSSEC, robustness, and several DS r… W.C.A. Wijngaards
- Re: [dnsext] dnsextDNSSEC, robustness, and severa… Edward Lewis
- Re: [dnsext] DNSSEC, robustness, and several DS r… George Barwood
- Re: [dnsext] DNSSEC, robustness, and several DS r… Paul Hoffman
- Re: [dnsext] dnsextDNSSEC, robustness, and severa… Wes Hardaker
- Re: [dnsext] DNSSEC, robustness, and several DS r… Francis Dupont
- Re: [dnsext] DNSSEC, robustness, and several DS r… Brian Dickson
- Re: [dnsext] DNSSEC, robustness, and several DS r… Francis Dupont
- Re: [dnsext] DNSSEC, robustness, and several DS r… Doug Barton
- Re: [dnsext] DNSSEC, robustness, and several DS r… Mark Andrews
- Re: [dnsext] DNSSEC, robustness, and several DS r… Mark Andrews
- Re: [dnsext] DNSSEC, robustness, and several DS r… Stephan Lagerholm
- Re: [dnsext] DNSSEC, robustness, and several DS r… Doug Barton
- Re: [dnsext] DNSSEC, robustness, and several DS r… Matt McCutchen
- Re: [dnsext] DNSSEC, robustness, and several DS r… Marc Lampo
- Re: [dnsext] DNSSEC, robustness, and several DS r… Stephane Bortzmeyer
- Re: [dnsext] DNSSEC, robustness, and several DS r… Stephane Bortzmeyer
- Re: [dnsext] DNSSEC, robustness, and several DS r… W.C.A. Wijngaards
- Re: [dnsext] DNSSEC, robustness, and several DS r… Tony Finch
- Re: [dnsext] DNSSEC, robustness, and several DS r… Paul Hoffman
- Re: [dnsext] DNSSEC, robustness, and several DS r… Doug Barton
- Re: [dnsext] DNSSEC, robustness, and several DS r… Francis Dupont
- Re: [dnsext] DNSSEC, robustness, and several DS r… Doug Barton
- Re: [dnsext] DNSSEC, robustness, and several DS r… Matt McCutchen
- Re: [dnsext] DNSSEC, robustness, and several DS r… Doug Barton
- Re: [dnsext] DNSSEC, robustness, and several DS r… Francis Dupont
- Re: [dnsext] DNSSEC, robustness, and several DS r… Brian Dickson
- Re: [dnsext] DNSSEC, robustness, and several DS r… Phillip Hallam-Baker
- Re: [dnsext] DNSSEC, robustness, and several DS r… Tony Finch
- Re: [dnsext] DNSSEC, robustness, and several DS r… Phillip Hallam-Baker